The computing world has mobilized en masse in response to the revelation of Meltdown and Spectre, vulnerabilities in computer processors that could open most of the world’s PCs and mobile devices to “side-channel attacks” that could steal data.
The vulnerabilities have existed for decades and there are no known exploits of them to date, but now that they’ve been discovered and disclosed, remediation is imperative. It’s a knotty problem affecting a wide range of processing chips and requires a complex set of fixes involving multiple players including chip-makers Intel, AMD, Qualcomm, and ARM. It also affects hardware manufacturers and software giants like Microsoft, Apple, Google, Amazon, and the Linux Project.
Updates have been released, and in some cases, like with Windows 10, installed automatically or are forthcoming. This can mitigate the problem for many users. But the response also is an example of the perpetual vulnerability/patch cycle that has been a trademark of cybersecurity. What’s different in this case is that it involves hardware, and while software updates can help, the remedy ultimately could come down to replacing the CPU hardware, as U.S. Computer Response Readiness Team (US-CERT) has suggested.
All of which raises the question (again) of whether hardware components can be made more secure from the get-go, thus avoiding the kind of fire-drill headaches that result when flaws (which in this case have existed for decades), are revealed.
One answer could start with designs for a hack-resistant processor like the one developed by Draper Laboratories as part of a Pentagon-funded project intended precisely to make hardware more secure. The lab’s Inherently Secure Processor (ISP) is intended to “provide silicon chip developers and manufacturers with a design that embeds security directly into hardware at the processor level,” Paul Rosenstrach, Draper’s principal director of Special Programs, said in a statement. Implemented as a co-processor and customizable to a customer’s embedded solution, “ISP hardware enforces customizable software-defined security rules, enabling system designers to develop individual policies that fit their application,” Rosenstrach said.
ISP was developed with funding from the Defense Advanced Research Projects Agency, which last week awarded Draper a $9.8 million contract to continue work under the agency’s System Security Integrated Through Hardware and Firmware, or SSITH, program. Building on earlier programs, SSITH was launched last April to tackle hardware vulnerabilities from the ground up, rather than relying on software patches that treat the symptoms of a vulnerability.
“To break this cycle and thwart both today and tomorrow’s software attacks, the SSITH program challenges researchers to design security directly at the hardware architecture level,” said Linton Salmon, SSITH’s program manager. “Instead of relying on software Band-Aids to hardware-based security issues, we are aiming to remove those hardware vulnerabilities in ways that will disarm a large proportion of today’s software attacks.”
The program targets the seven types of hardware vulnerabilities in the Common Weakness Enumeration, a compilation sponsored by US-CERT and hosted by the Mitre Corp. Eliminating those hardware flaws would take away more than 40 percent of the software channels that hackers can use.
Security experts have long complained that computer security is too often tacked on at the end of the development process rather than baked in at the beginning. Programs such as SSITH and processors like ISP could help avoid the mayhem involved with vulnerabilities like Meltdown and Spectre by securing hardware from the start.